Configure and verify DNS Name Resolution for Azure Purview private endpoints
Important
If you created a portal private endpoint for your Purview account prior to 27 September 2021 at 15:30 UTC, you'll need to take the required actions as detailed in, Reconfigure DNS for portal private endpoints. These actions must be completed before November 12, 2021. Failing to do so will cause existing portal private endpoints to stop functioning.
Conceptual overview
Accurate name resolution is a critical requirement when setting up private endpoints for your Azure Purview accounts.
You may require enabling internal name resolution in your DNS settings to resolve the private endpoint IP addresses to the fully qualified domain name (FQDN) from data sources and your management machine to Azure Purview account and self-hosted integration runtime, depending on scenarios that you are deploying.
The following example shows Azure Purview DNS name resolution from outside the virtual network or when an Azure private endpoint is not configured.
The following example shows Azure Purview DNS name resolution from inside the virtual network.
Deployment options
Use any of the following options to set up internal name resolution when using private endpoints for your Azure Purview account:
- Deploy new Azure Private DNS Zones in your Azure environment part of private endpoint deployment. (Default option)
- Use existing Azure Private DNS Zones. Use this option if you using a private endpoint in a hub-and-spoke model from a different subscription or even within the same subscription.
- Use your own DNS Servers if you do not use DNS forwarders and instead you manage A records directly in your on-premises DNS servers.
Option 1 - Deploy new Azure Private DNS Zones
Deploy new Azure Private DNS Zones
To enable internal name resolution, you can deploy the required Azure DNS Zones inside your Azure subscription where Azure Purview account is deployed.
When you create ingestion, portal and account private endpoints, the DNS CNAME resource records for Azure Purview is automatically updated to an alias in few subdomains with the prefix privatelink:
By default, during the deployment of account private endpoint for your Purview account, we also create a private DNS zone that corresponds to the
privatelinksubdomain for Azure Purview asprivatelink.purview.azure.comincluding DNS A resource records for the private endpoints.During the deployment of portal private endpoint for your Purview account, we also create a new private DNS zone that corresponds to the
privatelinksubdomain for Azure Purview asprivatelink.purviewstudio.azure.comincluding DNS A resource records for Web.If you enable ingestion private endpoints, additional DNS zones are required for managed resources.
The following table shows an example of Azure Private DNS zones and DNS A Records that are deployed as part of configuration of private endpoint for an Azure Purview account if you enable Private DNS integration during the deployment:
| Private endpoint | Private endpoint associated to | DNS Zone (new) | A Record (example) |
|---|---|---|---|
| Account | Azure Purview | privatelink.purview.azure.com |
Contoso-Purview |
| Portal | Azure Purview | privatelink.purviewstudio.azure.com |
Web |
| Ingestion | Purview managed Storage Account - Blob | privatelink.blob.core.windows.net |
scaneastusabcd1234 |
| Ingestion | Purview managed Storage Account - Queue | privatelink.queue.core.windows.net |
scaneastusabcd1234 |
| Ingestion | Purview managed Storage Account - Event Hub | privatelink.servicebus.windows.net |
atlas-12345678-1234-1234-abcd-123456789abc |
Validate virtual network links on Azure Private DNS Zones
Once the private endpoint deployment is completed, make sure there is a Virtual network link on all corresponding Azure Private DNS zones to Azure virtual network where private endpoint was deployed.
For more information, see Azure private endpoint DNS configuration.
Verify internal name resolution
When you resolve the Azure Purview endpoint URL from outside the virtual network with the private endpoint, it resolves to the public endpoint of Azure Purview. When resolved from the virtual network hosting the private endpoint, the Azure Purview endpoint URL resolves to the private endpoint's IP address.
As an example, if an Azure Purview account name is 'Contoso-Purview', when it is resolved from outside the virtual network that hosts the private endpoint, it will be:
| Name | Type | Value |
|---|---|---|
Contoso-Purview.purview.azure.com |
CNAME | Contoso-Purview.privatelink.purview.azure.com |
Contoso-Purview.privatelink.purview.azure.com |
CNAME | <Purview public endpoint> |
| <Purview public endpoint> | A | <Purview public IP address> |
Web.purview.azure.com |
CNAME | <Purview Studio public endpoint> |
The DNS resource records for Contoso-Purview, when resolved in the virtual network hosting the private endpoint, will be:
| Name | Type | Value |
|---|---|---|
Contoso-Purview.purview.azure.com |
CNAME | Contoso-Purview.privatelink.purview.azure.com |
Contoso-Purview.privatelink.purview.azure.com |
A | <Purview account private endpoint IP address> |
Web.purview.azure.com |
CNAME | <Purview portal private endpoint IP address> |
Option 2 - Use existing Azure Private DNS Zones
Use existing Azure Private DNS Zones
During the deployment of Azure purview private endpoints, you can choose Private DNS integration using existing Azure Private DNS zones. This is common case for organizations where private endpoint is used for other services in Azure. In this case, during the deployment of private endpoints, make sure you select the existing DNS zones instead of creating new ones.
This scenario also applies if your organization uses a central or hub subscription for all Azure Private DNS Zones.
The following list shows the required Azure DNS zones and A records for Purview private endpoints:
Note
Update all names with Contoso-Purview,scaneastusabcd1234 and atlas-12345678-1234-1234-abcd-123456789abc with corresponding Azure resources name in your environment. For example, instead of scaneastusabcd1234 use the name of your Azure Purview managed storage account.
| Private endpoint | Private endpoint associated to | DNS Zone (existing) | A Record (example) |
|---|---|---|---|
| Account | Azure Purview | privatelink.purview.azure.com |
Contoso-Purview |
| Portal | Azure Purview | privatelink.purviewstudio.azure.com |
Web |
| Ingestion | Purview managed Storage Account - Blob | privatelink.blob.core.windows.net |
scaneastusabcd1234 |
| Ingestion | Purview managed Storage Account - Queue | privatelink.queue.core.windows.net |
scaneastusabcd1234 |
| Ingestion | Purview managed Storage Account - Event Hub | privatelink.servicebus.windows.net |
atlas-12345678-1234-1234-abcd-123456789abc |
For more information, see Virtual network workloads without custom DNS server and On-premises workloads using a DNS forwarder scenarios in Azure Private Endpoint DNS configuration.
Verify virtual network links on Azure Private DNS Zones
Once the private endpoint deployment is completed, make sure there is a Virtual network link on all corresponding Azure Private DNS zones to Azure virtual network where private endpoint was deployed.
For more information, see Azure private endpoint DNS configuration.
Configure DNS Forwarders if custom DNS is used
Additionally it is required to validate your DNS configurations on Azure virtual network where self-hosted integration runtime VM or management PC is located.
If it is configured to Default, no further action is required in this step.
If custom DNS server is used, you should add corresponding DNS forwarders inside your DNS servers for the following zones:
- Purview.azure.com
- Blob.core.windows.net
- Queue.core.windows.net
- Servicebus.windows.net
Verify internal name resolution
When you resolve the Azure Purview endpoint URL from outside the virtual network with the private endpoint, it resolves to the public endpoint of Azure Purview. When resolved from the virtual network hosting the private endpoint, the Azure Purview endpoint URL resolves to the private endpoint's IP address.
As an example, if an Azure Purview account name is 'Contoso-Purview', when it is resolved from outside the virtual network that hosts the private endpoint, it will be:
| Name | Type | Value |
|---|---|---|
Contoso-Purview.purview.azure.com |
CNAME | Contoso-Purview.privatelink.purview.azure.com |
Contoso-Purview.privatelink.purview.azure.com |
CNAME | <Purview public endpoint> |
| <Purview public endpoint> | A | <Purview public IP address> |
Web.purview.azure.com |
CNAME | <Purview Studio public endpoint> |
The DNS resource records for Contoso-Purview, when resolved in the virtual network hosting the private endpoint, will be:
| Name | Type | Value |
|---|---|---|
Contoso-Purview.purview.azure.com |
CNAME | Contoso-Purview.privatelink.purview.azure.com |
Contoso-Purview.privatelink.purview.azure.com |
A | <Purview account private endpoint IP address> |
Web.purview.azure.com |
CNAME | <Purview portal private endpoint IP address> |
Option 3 - Use your own DNS Servers
If you do not use DNS forwarders and instead you manage A records directly in your on-premises DNS servers to resolve the endpoints through their private IP addresses, you might need to create the following A records in your DNS servers.
Note
Update all names with Contoso-Purview,scaneastusabcd1234 and atlas-12345678-1234-1234-abcd-123456789abc with corresponding Azure resources name in your environment. For example, instead of scaneastusabcd1234 use the name of your Azure Purview managed storage account.
| Name | Type | Value |
|---|---|---|
web.purview.azure.com |
A | <portal private endpoint IP address of Azure Purview> |
scaneastusabcd1234.blob.core.windows.net |
A | <blob-ingestion private endpoint IP address of Azure Purview> |
scaneastusabcd1234.queue.core.windows.net |
A | <queue-ingestion private endpoint IP address of Azure Purview> |
atlas-12345678-1234-1234-abcd-123456789abc.servicebus.windows.net |
A | <namespace-ingestion private endpoint IP address of Azure Purview> |
Contoso-Purview.Purview.azure.com |
A | <account private endpoint IP address of Azure Purview> |
Contoso-Purview.scan.Purview.azure.com |
A | <account private endpoint IP address of Azure Purview> |
Contoso-Purview.catalog.Purview.azure.com |
A | <account private endpoint IP address of Azure Purview> |
Contoso-Purview.proxy.purview.azure.com |
A | <account private endpoint IP address of Azure Purview> |
Contoso-Purview.guardian.purview.azure.com |
A | <account private endpoint IP address of Azure Purview> |
gateway.purview.azure.com |
A | <account private endpoint IP address of Azure Purview> |
Contoso-Purview.web.purview.azure.com |
A | <portal private endpoint IP address of Azure Purview> |
manifest.prod.ext.web.purview.azure.com |
A | <portal private endpoint IP address of Azure Purview> |
cdn.prod.ext.web.purview.azure.com |
A | <portal private endpoint IP address of Azure Purview> |
hub.prod.ext.web.purview.azure.com |
A | <portal private endpoint IP address of Azure Purview> |
catalog.prod.ext.web.purview.azure.com |
A | <portal private endpoint IP address of Azure Purview> |
cseo.prod.ext.web.purview.azure.com |
A | <portal private endpoint IP address of Azure Purview> |
datascan.prod.ext.web.purview.azure.com |
A | <portal private endpoint IP address of Azure Purview> |
datashare.prod.ext.web.purview.azure.com |
A | <portal private endpoint IP address of Azure Purview> |
datasource.prod.ext.web.purview.azure.com |
A | <portal private endpoint IP address of Azure Purview> |
policy.prod.ext.web.purview.azure.com |
A | <portal private endpoint IP address of Azure Purview> |
sensitivity.prod.ext.web.purview.azure.com |
A | <portal private endpoint IP address of Azure Purview> |
Verify and DNS test name resolution and connectivity
If you are using Azure Private DNS Zones, make sure the following DNS Zones and the corresponding A records are created in your Azure Subscription:
Private endpoint Private endpoint associated to DNS Zone A Record )(example) Account Azure Purview privatelink.purview.azure.comContoso-Purview Portal Azure Purview privatelink.purviewstudio.azure.comWeb Ingestion Purview managed Storage Account - Blob privatelink.blob.core.windows.netscaneastusabcd1234 Ingestion Purview managed Storage Account - Queue privatelink.queue.core.windows.netscaneastusabcd1234 Ingestion Purview managed Storage Account - Event Hub privatelink.servicebus.windows.netatlas-12345678-1234-1234-abcd-123456789abc Create Virtual network links in your Azure Private DNS Zones for your Azure Virtual Networks to allow internal name resolution.
From your management PC and self-hosted integration runtime VM, test name resolution and network connectivity to your Azure Purview account using tools such as Nslookup.exe and PowerShell
To test name resolution you need to resolve the following FQDNs through their private IP addresses: (Instead of Contoso-Purview, scaneastusabcd1234 or atlas-12345678-1234-1234-abcd-123456789abc, use the hostname associated with your purview account name and managed resources names)
Contoso-Purview.purview.azure.comweb.purview.azure.comscaneastusabcd1234.blob.core.windows.netscaneastusabcd1234.queue.core.windows.netatlas-12345678-1234-1234-abcd-123456789abc.servicebus.windows.net
To test network connectivity, from self-hosted integration runtime VM you can launch PowerShell console and test connectivity using Test-NetConnection.
You must resolve each endpoint by their private endpoint and obtain TcpTestSucceeded as True. (Instead of Contoso-Purview, scaneastusabcd1234 or atlas-12345678-1234-1234-abcd-123456789abc, use the hostname associated with your purview account name and managed resources names)
Test-NetConnection -ComputerName Contoso-Purview.purview.azure.com -port 443Test-NetConnection -ComputerName web.purview.azure.com -port 443Test-NetConnection -ComputerName scaneastusabcd1234.blob.core.windows.net -port 443Test-NetConnection -ComputerName scaneastusabcd1234.queue.core.windows.net -port 443Test-NetConnection -ComputerName atlas-12345678-1234-1234-abcd-123456789abc.servicebus.windows.net -port 443